What Is the SAMA Cybersecurity Framework?

The SAMA Cybersecurity Framework (SAMA CSF) is a mandatory cybersecurity governance framework issued by the Saudi Central Bank (SAMA) — Saudi Arabia's central regulatory authority for banking, insurance, and financial market infrastructure. Published in May 2017 and periodically updated, it establishes the minimum cybersecurity baseline that every SAMA-regulated entity must implement, measure, and continuously improve.

The framework draws from internationally recognised standards including ISO/IEC 27001, NIST CSF, PCI-DSS, COBIT 5, and BASEL III, adapting them to the specific risk landscape of the Saudi financial sector. Compliance is not optional — SAMA conducts regular examinations and non-compliance can result in supervisory action, public disclosure, and significant financial penalties.


Who is in scope? All entities regulated and supervised by SAMA — commercial banks, investment banks, exchange companies, insurance companies, reinsurance companies, financing companies, credit bureaus, payment service providers, and financial market infrastructure operators.

The 5 Core Domains

The SAMA CSF is organised around five core domains, each containing multiple sub-domains and controls. Every domain must be assessed, and each organisation must achieve a minimum maturity level of 3 (Defined) across all domains to be considered compliant.

01. Cybersecurity Leadership & Governance (28 Controls)
    Establishing a cybersecurity governance structure, board-level accountability, CISO appointment, cybersecurity strategy, policies, and risk appetite framework aligned with business objectives.

02. Cybersecurity Risk Management & Compliance (32 Controls)
    Cyber risk identification, assessment, treatment, and monitoring. Regulatory compliance tracking, third-party risk management, and audit programme management.

03. Cybersecurity Operations & Technology (46 Controls)
    Technical security controls: identity & access management, network security, endpoint protection, application security, data security, cryptography, and secure configuration management.

04. Third-Party Cybersecurity (20 Controls)
    Vendor risk assessment and due diligence, cloud computing security, outsourcing controls, SWIFT and payment system security, and supply chain cybersecurity management.

05. Cybersecurity Resilience (14 Controls)
    Business continuity planning, disaster recovery, cyber incident response, threat intelligence sharing, forensics capability, and lessons learned programme.

The 5-Level Maturity Model

The SAMA CSF uses a five-level maturity model to measure how effectively an organisation implements its cybersecurity controls. Every control is assessed against this scale — the goal is to reach and sustain Level 3 (Defined) as the regulatory minimum, with best-practice institutions progressing to Level 4 or 5.

Level 1 — Initial: Ad hoc, undocumented, and reactive. No formal processes.
Level 2 — Repeatable: Basic processes exist but are informal and not consistently applied.
Level 3 — Defined (SAMA minimum): Standardised, documented, and approved processes.
Level 4 — Managed: Processes are measured and controlled using metrics and KPIs.
Level 5 — Optimising: Continuous improvement based on quantitative feedback and innovation.

Assessment cycle: SAMA requires annual self-assessment of cybersecurity maturity across all five domains, submission through SAMA's regulatory portal, and evidence maintenance for independent validation during SAMA examinations — formally approved by the board or equivalent governance body.

Core Obligations Under SAMA CSF

Beyond the five domains, the SAMA CSF imposes specific operational obligations frequently found deficient during SAMA examinations.

01. Appoint a Dedicated CISO
    Every SAMA-regulated entity must appoint a qualified CISO with sufficient authority, independence from IT operations, and direct board reporting access, with certifications and experience commensurate with the organisation's risk profile.

02. Conduct Annual Cyber Risk Assessments
    A formal, documented cyber risk assessment must be conducted at least annually, identifying assets, threats, vulnerabilities, likelihood, and business impact. Its results feed directly into the risk register, security investment decisions, and the annual SAMA self-assessment.

03. Implement a Cyber Incident Response Capability
    A documented and tested Cyber Incident Response Plan (CIRP) is mandatory, covering detection, containment, eradication, recovery, and lessons learned. SAMA must be notified within 72 hours of major cyber incidents affecting financial services or customer data.

04. Regular Vulnerability Assessments & Penetration Testing
    Vulnerability assessments must be performed quarterly for critical systems and annually for all in-scope systems. Annual penetration testing by a qualified third party is required, covering internal and external attack surfaces, with remediation evidence maintained for SAMA audit.

05. Mandatory Security Awareness Training
    All employees must complete annual cybersecurity awareness training. Board members and senior management require dedicated briefings. Specialised training is required for IT/security staff. Completion must be tracked, evidenced, and reported in the annual SAMA self-assessment.

06. Third-Party & Cloud Security Assessments
    All third-party service providers with system or data access must undergo formal cybersecurity assessment before onboarding and periodically thereafter. Cloud providers must meet SAMA's cloud security requirements, with contractual security obligations embedded in all vendor agreements.

Who Must Comply & Examination Consequences

SAMA conducts ongoing supervisory examinations including formal cybersecurity maturity assessments. The table below summarises entity types in scope and the regulatory consequences of non-compliance:

Entity Type                       | CSF Applicability   | Min. Maturity | Non-Compliance Risk
----------------------------------|---------------------|---------------|------------------------
Commercial & Investment Banks     | Full CSF            | Level 3       | Supervisory action
Insurance & Reinsurance Companies | Full CSF            | Level 3       | Supervisory action
Financing & Leasing Companies     | Full CSF            | Level 3       | Supervisory action
Payment Service Providers         | Full CSF + PCI-DSS  | Level 3+      | Licence revocation risk
Exchange Companies                | Proportional CSF    | Level 2–3     | Enhanced supervision
FinTech & Digital Banks           | Full CSF + Addenda  | Level 3+      | Licence revocation risk

How to Achieve SAMA CSF Compliance

Achieving and sustaining SAMA CSF compliance requires a programme-based approach. The following eight-phase roadmap represents CyberOps' proven methodology, refined through successful SAMA CSF engagements across Saudi financial institutions of all sizes.

8-Phase SAMA CSF Compliance Roadmap
01. Scoping & Governance Setup (Week 1–3)
    Define the exact scope of the SAMA CSF assessment across all in-scope systems, applications, and processes. Establish the governance structure: appoint the CISO, form a Cybersecurity Steering Committee with board representation, and document the organisation's cybersecurity strategy and risk appetite aligned with SAMA's requirements.

02. Maturity Assessment Across All 5 Domains (Week 3–7)
    Conduct a comprehensive maturity assessment of your current cybersecurity posture against all 140 SAMA CSF controls across the five domains. Each control is rated on the 1–5 maturity scale with documented evidence, producing your as-is maturity baseline, the foundation for remediation and the SAMA self-assessment submission.

03. Cyber Risk Assessment (Week 5–8)
    Conduct the SAMA-mandated formal cyber risk assessment: catalogue all critical information assets, map threat scenarios, assess vulnerability levels, and produce a prioritised risk register. Outputs must directly inform the remediation plan and cybersecurity investment roadmap.

04. Remediation Planning & Prioritisation (Week 8–10)
    Convert maturity assessment gaps into a structured remediation roadmap. Prioritise sub-Level 3 controls with the highest risk ratings, assigning clear owners, timelines, budget requirements, and KPIs. Focus first on Domains 3 (Operations) and 5 (Resilience), which carry the heaviest weighting in SAMA examinations.

05. Technical Controls Implementation (Month 3–8)
    Execute the technical remediation programme, deploying the controls required to elevate maturity to Level 3+. Key implementations: MFA, privileged access management, network segmentation, SIEM and SOC capability, DLP, patch management, endpoint protection, and encryption. Every implementation must be documented with configuration evidence for SAMA audit.

06. Policy & Procedure Library Development (Month 2–6)
    SAMA CSF compliance is heavily documentation-driven. Every domain requires a comprehensive approved policy and procedure library covering governance, risk management, asset classification, access control, change management, incident response, business continuity, and acceptable use. All policies must be board-approved and evidenced as operational.

07. Vulnerability Assessment, Pentest & Evidence Pack (Month 6–9)
    Conduct mandatory vulnerability assessments and penetration testing. Remediate all critical and high findings within SAMA's SLA windows. Compile the complete evidence pack, organised by domain and control, including configuration screenshots, policy approvals, training records, scan reports, pentest summaries, and remediation records. This evidence pack forms the backbone of the SAMA self-assessment submission.

08. SAMA Self-Assessment Submission & Continuous Programme (Month 9+, annual)
    Complete and submit the annual SAMA CSF self-assessment through SAMA's regulatory portal with board approval. After initial compliance, establish a continuous programme: quarterly maturity reviews, monthly security metrics reporting to the board, continuous threat intelligence monitoring, and an annual formal re-assessment cycle. SAMA CSF compliance is a perpetual programme, not a one-time achievement.

CyberOps SAMA CSF Compliance Service

CyberOps has extensive experience supporting SAMA-regulated financial institutions through the full CSF compliance lifecycle. Our GRC team includes former financial sector regulators, CISO-level practitioners, and certified cybersecurity specialists who understand both the regulatory intent and the operational reality of SAMA CSF compliance.

Our end-to-end SAMA CSF service covers: governance setup, CISO advisory, comprehensive maturity assessment, cyber risk assessment, remediation programme delivery, policy library development, vulnerability assessments, penetration testing, evidence pack compilation, SAMA self-assessment support, board-level reporting, examination preparation, and ongoing compliance monitoring.

Start Your SAMA CSF Compliance Journey Today

Get a free maturity readiness assessment from our SAMA CSF specialists. We'll benchmark your current posture and deliver a prioritised roadmap within 5 business days.
